What They Know

Nothing feels more anonymous than browsing the Web. It's just you and your computer, right? Wrong. Web sites track your every move. The government can peek into your e-mail. Your whole identity may be exposed to cybersleuths on both sides of the law. You need to know what they know and what to do about it.

Contents

There's always a chance the personal information you disclose will wind up in a place you'd rather it didn't. You face this risk most everywhere, whether purchasing a jacket from a catalog, signing up for a bank account, or whispering a juicy secret to a friend. "Once an individual puts their private information into the hands of a third party, they lose a reasonable expectation of keeping that information private," says Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center (EPIC), a public-interest group concerned with maintaining privacy on the Net.

Indeed, very few federal laws prevent companies from collecting and divulging your information. "Traditionally, U.S. privacy law has protected us from government intrusion," says John Delaney, an Internet privacy expert and cochair of the new media practice group of Morrison and Foerster, a San Franciscobased law firm. "There have been few restrictions on what businesses can and cannot do with our personal data." Such are the ways of a capitalist society.

The good news is that the personal data you divulge over the Internet often receives greater protection than what you disclose off-line. "There's now a higher standard for protecting the collection of data online than there is for the collection of personal data off-line," says Delaney.

Many people assume just the opposite, but whereas off-line companies have sold and rented their customers' personal information for decades without many people complainingor even realizing itthe media and the public have become quite concerned about the fate of personal data collected over the Internet. This general skepticism about Internet privacyand the watchful eyes of public-interest groups like EPIC and the Center for Democracy and Technologyis the reason there is often greater privacy on the Internet than off.

"Over the past year, all of our clients started asking us what they could do to protect their customers' privacy online," says Mary Rogers, whose firm, Peppers and Rogers Group, advises Fortune 500 companies on their online marketing strategies, which are so dependent on the collection of customer data. Companies are posting legally binding privacy statements on their Web sites, describing what personal information they collect from users and what they do with that information. Some are not only hiring independent privacy auditors like Poneman but also building permanent privacy departments. MSN, for example, affirms that it will never sell rent or lease any of its customers' information, a claim that was unheard of before the rise of the Internet. Note, however, that the company will share aggregated, anonymous information with other parts of Microsoft.

One can argue that data is more vulnerable to theft on the Internet, but that's an issue of security, not privacy. One could also argue that online businesses have access to more data about their customers, but that isn't necessarily the case. Many large companies collect data about where you go and what you do on their various sites, so they can better market their products and services, but they don't always tie that data to your name, address, or phone number. They often know only the online habits of an anonymous person who uses your PC.

ISPs such as AOL and MSN can potentially track the way you behave on any site across the Internet, but most large, well-known ISPs choose not to, and those that do aren't likely to link it to your name. "We don't track that at all," says Andrew Weinstein, an AOL privacy spokesperson. "And even if we did, all the requests that come in for a Web page are anonymous."

This said, you shouldn't indiscriminately divulge personal data on the Web, either. RealNetworks and companies like it, always under public scrutiny because of past run-ins with privacy advocates, may have their act together, but not all sites do. And like the job marketplace site Poneman audited, some companies are unaware that lower-level employees are violating stated privacy policies. There is certainly the potential for invasions of privacy online, but potential needn't translate into disaster.